Cyberattacks Escalate Around The Globe

This is TALK OF THE NATION. I'm Neal Conan in Washington. Last month, customers of Bank of America, JP Morgan Chase and Wells Fargo and several other banks were unable to access their bank accounts. Hackers overwhelmed the sites with traffic that made them extremely slow or totally unresponsive. No funds were lost, but it was a nuisance.

Months earlier in Saudi Arabia, a virus named Shamoon spread through 30,000 of the computers of ARAMCO, the world's largest oil company, and erased file after file.

Cyber war isn't fiction, it's underway. The. U.S. and Israel reportedly launched attacks that set back Iran's nuclear program by a year or maybe more. U.S. officials reportedly believe Iran's cyber warfare unit tested U.S. banks last month and the Saudi computers last summer, and last week Defense Secretary Leon Panetta warned of a cyber-Pearl Harbor.

Hackers, are the defenses any better than they used to be? And if you're on the flip side, if you work to secure critical facilities, what's changed for you? Give us a call, 800-989-8255. Email talk@npr.org. You can also join the conversation on our website. That's at npr.org. Click on TALK OF THE NATION.

Later in the program, U.S. Naval Academy Professor Bruce Fleming asks: Do we still need military academies? But first, David Sanger joins us here in Studio 3A, chief Washington correspondent for The New York Times. His latest book is titled "Confront and Conceal," and good to have you back on TALK OF THE NATION today.

DAVID SANGER: Wonderful to be back with you, Neal.

CONAN: And Secretary Panetta did not publicly name Iran as the source of those attacks. What's the evidence that they are the ones responsible?

SANGER: You know, so far we hear from the intelligence community that they believe there are traces back to Iran, but they haven't gone as far as saying that it was necessarily state-sponsored. And the fascinating thing about cyberattacks is that just figuring out what the industry calls attribution, where it came from, is extremely difficult.

And I wouldn't be surprised if, once we learn more about these, people revise their view about where it may have come from. Most attacks that come into the United States are from China and Russia. There's no particular evidence the Iranians are very good at this, although as you mentioned, they announced that they are creating a new cyber corps, back in 2011 after they were first hit with the virus that everyone knew as Stuxnet.

CONAN: And that was the one you reported in the New York Times as having originated in the United States and Israel.

SANGER: That's right. The - Stuxnet itself, just describes a particular version of a computer worm that escaped from the Natanz enrichment plant in the summer of 2010. But it was part of a much broader effort - covert effort - by the United States and by Israel that I describe in "Confront and Conceal," which goes back to the earliest days - I'm sorry, the later days of the Bush administration and the earliest days of the Obama administration.

And this was designed to find a non-military way to slow down - not stop, but slow - the Iranian nuclear progress. And it really is the creation of a very new and different kind of weapon because most computer attacks that you see are that you mentioned for ARAMCO, or they're denial-of-service attacks on the banks. This was completely different.

This was going through a nation's computers in order to blow up the centrifuges that spin at supersonic speeds and produce uranium. So it's using a computer attack to do something that previously we could only do through sabotage or, say, an air attack.

CONAN: And as an alternative to war, what we think of as war, but isn't cyberwar war, and isn't - if the Iranians believe we were behind Stuxnet and its friends, well, isn't turnabout fair play?

SANGER: It could well be, and it is a new form of warfare and a new form of sabotage, but it's warfare nonetheless. And, you know, I think there's a temptation to think that most cyber-events are pretty bloodless. You know, so you can't get into your bank account, you can't get into your email and so forth, and a lot of it is. A lot of it's just the theft of intellectual property, and that's what the Chinese are frequently accused of by Google, and American defense contractors and others.

But when you begin to mess with cyberattacks that can hit infrastructure, then it suddenly becomes a little less bloodless. I mean, in this case, they were trying to stop some centrifuges, thousands of them, that were spinning deep underground in the Iranian desert and, thus, far away from everything else. But you can imagine an infrastructure attack on a water system or on an electric power system or on a cell phone network or an emergency responder's network that could cause a significant number of deaths.

CONAN: And blackouts, if it's the grid, well they can cause a lot of havoc.

SANGER: They can, and they can cause panic and so forth, and we've seen that just with blackouts up and down the East Coast that weren't caused by cyber effects, but just by error. And that gets at, actually, an interesting element of cyber warfare, which is the most elegant cyber attacks replicate something that happens ordinarily, like a power outage, so that it's not immediately clear that it was a cyber attack.

And that was the key to Olympic Games. The Iranians had bought centrifuges, a really bad design, from the Pakistanis; and these centrifuges periodically would spin out of control and blow up. So for the first two years or so that the Iranians were hit by various versions of the bug that was designed by the U.S. and Israel, they really didn't know what was happening. In fact, they fired a lot of their engineers, thinking that they were just making mistakes.

It wasn't until the Stuxnet virus escaped, because of a programming error, that many Americans attribute to Israel and the Israelis attribute to the United States and so forth, that the Iranians suddenly realized hey, there was something else going on here.

CONAN: An offensive attack by, they presume, the United States and Israel, I'm sure they do.

SANGER: And in fact they said right after the attack, I'm not sure with how much evidence, that it was the United States and Israel. They certainly didn't think it was Switzerland.

CONAN: A point given, and Secretary Panetta, well, as mentioned did not necessarily name Iran, but he did announce changes in the way the U.S. would respond to cyber attacks, what are known as the standard rules of engagement.

SANGER: He did. He - but he didn't say what the changes were going to be.

CONAN: Yeah, no specifics.

SANGER: So, you know, here's - the best analogy for this, Neal, is to go back to the pre-emption doctrine of the Bush administration. You'll remember that after 9/11, in 2002, President Bush issued a new national security strategy. And what it said was, if the United States sees an attack massing, then it may act preemptively. And that was essentially an argument for the Iraq war.

So pre-emption has been largely discredited by virtue of the fact that we didn't find weapons of mass destruction in Iraq, and it's certainly a risky way to operate. But many people who spend their time thinking about cyber wars say look, the cyber attack, once it comes in, takes about 300th of a millisecond. So if you're going to stop it, you've got to stop it either before it happens or just as it's coming across the gateway through an Internet service provider in the United States.

But if you just wait and watch it go by, then all you're going to say is gee, that's going to hurt. So the question is: Should the Pentagon, should the National Security Agency, be in the business of issuing, essentially, pre-emptive cyber strikes because they see that in some server in China or Iran or Russia or someplace else there is a cyber attack getting ready to come across our borders?

CONAN: It also suggests that offenses are in better shape than defenses.

SANGER: Well, in the cyber world, the offense has all the advantage because detecting a cyber attack coming in is difficult, and stopping it even after you detect it is really, really hard. So, one of the purposes of offense is to act as a deterrent, just as in the nuclear world.

You can say, you know, you might think about sending your missiles here, but we have a way of wiping you out a few minutes later. The difference is that in the old nuclear world, when there was an attack launched, you know, there were those guys sitting under the mountain in Colorado watching the incoming missiles. In cyber, you're never entirely sure where the attack is coming from, thus the difficulty, months after this attack in Saudi Arabia, in figuring out exactly what - who launched it.

CONAN: Our guest is David Sanger, chief Washington correspondent for The New York Times. And, well, let's find out more about those defenses. We'd like to hear from the hackers in our audiences. What's changed? Are things beefing up? 800-989-8255. Email is talk@npr.org. If you're on the other side, if you're in charge of protecting the cyber security of something like, oh, a power station, we'd like to hear from you, too, and that again is 800-989-8255. But we'll begin with Steven(ph), and Steven's on the line with us from Fort Smith in Arkansas.

STEVEN: Yes, hello. Hi, your guest said that one of the difficulties is knowing where an attack comes from. One of the more recent - well, I say recent but it's been around for several years - is distributed computing attacks. Some of the more prevalent ones have been the Church of Scientology was attacked by distributed computers. I think the hackers counted - it was around 30 or 35 million computers participating.

And there have also been forced - those were willing participants. There have also been viruses distributed that allow the controller to use 30 or 40 million computers to execute a single attack. And unlike nuclear war, you're not looking at, you know, missiles coming from specific sites. You're looking at specific attacks coming from all over the world, millions of computers at a time all doing the same action.

CONAN: These are typically denial-of-service attacks.

STEVEN: Well, they've also been used to crack credit card databases. I believe, oh, TJ Maxx, when they lost all theirs, there was a BDOS attack against their firewalls that caused them fail and then to get access to their credit card accounts.

CONAN: David Sanger, distributed systems, these one computer operator can engage all these computers around the world, joining his - enlist him in his forces, they're sort of robots, without their owners' knowledge.

SANGER: That's right, enlisting them unknowingly. You know, and this can happen by spreading a worm or a virus around through these systems, and they're all timed to attack at the same time. And as you said, Neal, many of these are just denial-of-service attacks. They're meant to be disruptive. But sometimes they could, if they are properly aimed and focused, they could work to crack the safe.

This is part of what makes the defense here so difficult. So you've got two different problems. One is you're never quite sure who was the initial creator, and then the second is if you are actually trying to stop the attack, you don't have a single point or 10 points or even 100 points where you can aim that effort to stop.

CONAN: This is TALK OF THE NATION. I'm Neal Conan. We've seen an escalation of cyberwarfare in recent years. The Stuxnet virus that attacked Iran's nuclear facilities first went public in 2010. The New York Times later reported it was developed by the U.S. and Israel. Another virus that targeted Tehran, the Flame virus, collected loads of data from Iranian computers.

Last year, the Pentagon confirmed that an unspecified foreign intelligence service accessed thousands of sensitive U.S. files. The website of the United States Senate was attacked by the hacker group LolzSec. And hackers reportedly breeched Lockheed-Martin's networks on May of 2001.

As we heard, earlier this year, an attack widely attributed to Iran wiped out 30,000 computers in Saudi Arabia. Hackers, are the defenses any better than they used to be? If you're on the flip side, if you work to secure critical facilities, what's changed? 800-989-8255. Email talk@npr.org. You can also join the conversation on our website at npr.org. Click on TALK OF THE NATION.

David Sanger is our guest, chief Washington correspondent for The New York Times, his latest book "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power." And this is an email from Colin in California: President Obama early in his term declared cyberattacks to be an act of war. Does this mean we've declared war on Iran or summarily started one? And if so, does that mean the president can simply start a war of choice without having to send a destroyer into the Gulf of Tonkin? That of course referring to the famous incident, which was - set off the U.S. - grand escalation of U.S. involvement in Vietnam back in 1964.

SANGER: It's a superb question. There are a few ways to sort out the answer. The first is that President Obama, I think, when he came to office initially, if you think about what he said about cyber during the campaign, he thought of it mostly in terms of personal privacy. He was concerned about the security of American networks. But I don't think he got very involved and had thought much about offensive cyberattacks until actually the day that he went in to go see President Bush a few days before President Obama's inauguration.

They had a one-on-one meeting in the Oval Office. And during that time, President Bush said to him, you know, there are two programs you're going to want to hold on to. One is the drones program over Pakistan, and the other is Olympic Games, this program in Iran. He learned a lot about it after that, and yet as your caller, the email writer, suggests, President Obama, the constitutional lawyer in him I think was quite concerned about whether or not an American and Israeli-launched cyberattack would eventually - this was eventually, the word of it would get out - become the pretext for others to launch cyberattacks on the United States and say, well, look, we're not doing anything to you that you're not doing to the Iranians.

I think that was one of the reasons that they were so concerned about this getting out. On the other hand, there is a group within the Pentagon and within the intelligence agencies who believe that there is some value in the United States announcing its cyber capabilities because it could act as a deterrent.

And you saw Secretary Panetta in that speech you referred to before the break walk right up to the edge. He almost used the word we have - the words we have offensive cyberpower. Instead, he used some code words around it.

CONAN: There is also the suggestion that if it's effective enough, it could be the pretext for a shooting war.

SANGER: Certainly it could. In fact, when you look at what the Pentagon has said, and they haven't said much, about how the U.S. would respond to a cyberattack on the United States, they have basically said that the United States would be free to respond with all elements of U.S. power.

So it could be that you respond to a cyberattack with a cyberattack, but as you suggest, if it was something they feared was going to turn off defense satellites or turn off New York City or whatever, I think they'd want to leave open the possibility that they could use a conventional weapons response in response to a cyberattack.

CONAN: Let's get another caller in on the conversation. Andy's on the line with us from Oklahoma City.

ANDY: Yeah, I worked in security for nuclear power plants, very conventional forms of security, you know, 15, 20 years ago, mostly in Tennessee. And the people who made more money than I did used to discuss credible threats, you know, what - just to get your brain around what potential threats are out there. These are some, you know, game theory in practice form.

And I'm wondering if our leaders, when they're making budgets and plans, are they going to educate us in how to assess threats now? And the congressmen have a lot on their plate. How much money, time and energy is being spent for, you know, (unintelligible) down the hill, is he being trained properly? Who's training him, and how does it affect the outcome of our spending and, you know, what line item is that?

CONAN: David Sanger?

SANGER: That's a very good question. This year, the administration has tried to push through, and failed to push through, a cyber protection bill that would basically have required private industry for critical infrastructure to not only work with the government on these kind of protections but also be forced to report cyber incidents and pay for some of their protections.

And it was defeated by lobbyists who, and maybe in the industry, who first of all didn't want more government regulation, and certainly that's a big issue through the campaign, and secondly, didn't want to be forced to go pay for much of the cyberprotection, although obviously banks and other institutions pay a lot of money to do this right now anyway.

But to your question of how much members of Congress know about it, with the exception of members of certain committees that I think deal with this frequently - Intelligence, Armed Services - they don't know much. And it came to the point where last spring, trying to get the bill through, the administration invited a number of members of the Senate into a classified briefing room and basically ran through a simulation in which a worker at the utility in New York City gets an email from a friend that turns out to be a phishing attack, and that ends up tripping the lights out throughout New York City.

And they were trying to put together basically a pretty credible scenario to educate the members of Congress.

CONAN: Andy...

ANDY: Do you think that we're - are we getting enough fear generated for this? I'm just wondering, are they addressing the doomsday scenarios?

SANGER: I think that's why we heard cyber-Pearl Harbor just last week from Secretary Panetta.

And it's an interesting question of whether or not we're hearing too much fear. I mean, remember there's a whole industry built around cyberprotection right now, and that industry is dependent on whipping a good deal of fear. That isn't to say that cyberattacks aren't real; they happen every day, but the question is how do you measure the response?

CONAN: Andy, thanks very much for the call. But given that, the inability to pass that bill earlier this year, David Sanger, isn't it as interesting not only what Secretary Panetta had to say last week but where he said it?

SANGER: That's right, he gave this speech on the old aircraft carrier that is I think the Intrepid, which is in New York Harbor on the West Side, and he was trying to make the argument - he was talking to a group of business executives who are focused on national security issues. And he was trying to make the argument, because it was an aircraft carrier, that we are as vulnerable today as we were back in the Pearl Harbor days.

Pearl Harbor may not be the world's greatest analogy for this, and there's a lot of debate back and forth. But there are a lot of people who believe that the only thing that will actually force a new set of protections that private industry would be forced to take would be a significant attack, just as 9/11 changed the way we think about airport security, that a big cyberattack would change the way we think about network security.

CONAN: Let's go to Ed, and Ed's on the line with us from San Antonio.

ED: Hey, Neal, how are you doing?

CONAN: Good, thanks.

ED: Yeah, my comment is I know for us, we in the energy sector I work in, the control rooms are actually isolated from the main networks. So they don't have abilities to get through. And that was one of the things as far as our audit we always had to comply with to make sure that nobody was, you know, reaching our network protocols.

So is that the case across the board? Because when I heard about the Iran situation, that's the first thing that - fears into my head, was if this hardware is capable through kind of any kind of any network connection, that leaves them wide open for any kind of attack.

SANGER: It's a great question. The Iranians did what your company and many other companies did, which was they've created what's called an air gap, basically an electronic moat around their Natanz nuclear enrichment plant and their other nuclear facilities, so that they're not connected to the Internet.

And a lot of companies think that that is the ultimate protection against getting hacked. And if you ask computer professionals, they will tell you that to somebody who's really dedicated at this, it's a speed bump, but it's only a speed bump.

So one of the things the U.S. and Israel had to do in order to make the Olympic Games work was they had to find a way to get the computer worm into the system and get through that air gap. And, you know, you can imagine all kinds of conventional ways of doing that, giving somebody a USB stick, you know, that they'd go in. They may not even know what's on it, somebody who's going into work in the plant anyway and hooking it up to their laptop computer.

And it looks in fact that that's how the Stuxnet virus got out; that an engineer, an Iranian engineer probably had no idea what was going on, hooked into the control panel at Natanz and this ramped-up version of the worm that became known as Stuxnet leapt onto his laptop computer. He packed up and went home. Got home. Signed onto the Internet. And the next thing everybody discovered in Washington was that millions of copies of this worm that they had spent years developing were being replicated around the world.

ED: OK. Yeah. That makes sense. I mean, we block USB in the lab. And, basically, anything that goes into the control room is regulated. I mean, obviously, you can't - it's all about physical security as well, on top of the, you know, the security on the (unintelligible).

SANGER: The Pentagon does the same thing now since they had a similar issue.

CONAN: And, Ed...

ED: Right.

CONAN: ...you could also see, though, if you have that kind of air gap. Well, you know, you don't protect security inside it quite the same way...

ED: Yeah, yeah, exactly.

CONAN: ...because you think you're protected. Anyway, interesting call. Thank you very much for the conversation. Now, let's see - we go next to - this is Michael. Michael with us from Minneapolis.

MICHAEL: Hey. I'm actually a computer security consultant in Minneapolis. This is kind of my bread and butter. And the thing I wanted to say was that the bill that you're talking about that didn't get passed kind of espouses an outmoded philosophy as far as computer security. It's talking about detecting attacks and preventing them in the first place. But the problem is that the attacks have already happened. In a lot of cases, there have been - Department of Defense computers, for example, or a Fortune 500 company computer that have already been compromised.

So we can't detect the breach because it's already happened. These security systems were designed before there was another state cyber threat in place. They're not designed to protect against a threat like Stuxnet or something along those lines. So this bill is going to create a massive expensive, ineffective domestic surveillance network that isn't actually going to prevent any kind of breach.

CONAN: David?

SANGER: You know, you've identified a significant problem which is if a piece of equipment has already been infected, if a piece of equipment was imported and it was infected before it got into the United States, then protecting the network is not necessarily going to help you. And it's one of the reasons that you see all this controversy about bringing in Chinese-made sophisticated server equipment because of the fear that one might never be able to detect what's been put inside. And they're not just China, but it's the Chinese because they've gotten so good at producing some of these that have been the focus of much that argument.

CONAN: Michael, thanks very much.

MICHAEL: Yeah. Thank you, guys.

CONAN: We're talking with David Sanger of The New York Times, the author of "Confront and Conceal: Obama's Secret Wars and Surprising Use of American Power," about cyberwar. You're listening to TALK OF THE NATION from NPR News. And as you see these charges and warnings flying around, David, a lot of the questions that are being asked are legal questions. And the same lawyer who at the State Department who eventually came up with the rationale for the drone program is working on cyberwar.

SANGER: That's right. The general counsel at the State Department, Harold Koh, who used to be dean of Yale Law School, very knowledgeable, very sophisticated legal scholar, worked for a long time when he first came into the State Department on coming up with a better public explanation of how the United States legally justifies the drone strikes. And you might agree with him or you might disagree with him, but he's come up with a legal construct that's based on the legislation that was passed soon after 9/11; much more difficult thing to do in the case of cyber.

The United States has a series of internal guidelines. They haven't talked about them very much. And one thing that we do know is that if the U.S. launches a cyberattack, I was told in the course of the reporting for "Confront and Conceal," the president has to personally approve any kind of cyber action, and that was true during the Bush administration. It's been true during the Obama administration. But that said, there isn't much of a legal framework around about when the United States attacks or doesn't.

And part of the difficulty in creating one is that the entire U.S. offensive program, offensive weapons program for cyber has been very highly classified. And so you can't discuss the rules about how you would use a weapon if you can't acknowledge the fact that you've got the weapon. And I've been making this point as I've been talking on the subject at various times since the book came out in June because, you know, we've found ways to talk about how to use nuclear weapons, but it took 20 years after Hiroshima.

You know, all through the Cuban missile crisis, which was 20 years ago this week - I'm sorry - 50 years ago this week, we had, you know, back-and-forth arguments about whether or not you could use nuclear weapons against the Soviet Union and what the provocation could be. And, of course, President Kennedy was advised by some of his military advisers to go use nuclear weapons during the early days of the Cuban missile crisis 50 years ago. Eventually, we came to an understanding of how we would and would not use those weapons. And fortunately, we haven't used them again.

CONAN: And it was a mutual understanding. The Soviets came to the same realization.

SANGER: That's right. And now, we've gone through the debate again with drones where, again, there's a set of rules about when you would use drones, what kind of states you can use them in, whether or not you have to be invited in by the country and so forth. And even though the drone program is still classified, we gradually managed to have that conversation. We haven't even begun to have that conversation about cyber.

CONAN: It's just beginning to be acknowledged publicly. And as you say, Secretary Panetta last week ran right up to the edge of saying that we have offensive capabilities but didn't step over.

SANGER: That's right. I mean, I think it's a pretty well accepted fact now that the United States was behind the attacks on Iran along with other states, Israel and others who helped. But the U.S. has never acknowledged that. And until they do acknowledge it or until they do at least acknowledge that there was an offensive capability, it's very hard to have a debate about how you'd use it.

CONAN: Email from or, excuse me, a tweet from WCGeekChick: How can we expect other countries to respect our networks when our own country is launching attacks on other nations? Further, if utilities are critical, why are they being connected to the Internet in the first place, clueless and begging for attack? Well, banks are connected to the Internet. Well, everybody does Internet banking.

SANGER: That's right. And so then the question is, can you have certain parts of your capability attached to the Internet so that we can do our Internet banking but be able to protect the truly vital elements of it and separate those out and have good protections there? And that's a very difficult question. And then on top of that, you have another problem, which is that companies are attacked all the time, but they don't want to admit to it because they don't want to encourage further attacks and perhaps they're afraid their shareholders would get a little nervous.

CONAN: David Sanger, as always, thanks very much for your time.

SANGER: Thank you.

CONAN: David Sanger, chief Washington correspondent of The New York Times. Coming up, a long-time professor at the U.S. Naval Academy poses a provocative question: Do we still need naval - military academies? Bruce Fleming will join us next. I'm Neal Conan. Stay with us. It's the TALK OF THE NATION from NPR News. Transcript provided by NPR, Copyright NPR.